There is an unavoidable pattern in new technology: First we get the benefits, followed by the side effects and unintended consequences. Those side effects cover the gamut, but if the new technology is connected, one concern is sure to be security. And prudence dictates we get out in front of those concerns.
Whenever technology is connected, it’s possible that more than just the intended users will take advantage of its capabilities. I’ve heard some novel takes on exploiting connectivity. One of my favorite anecdotes comes from a fishing tournament where someone realized that many of the boats used LiFePO4 batteries with Bluetooth-connected management systems. Many of those systems don’t have any security measures, so it’s trivially easy for someone to download an app and turn off the batteries. Fortunately, there is an easy solution: A PIN or passcode securing any changes can eliminate this vulnerability.
While turning off house batteries on shore might be mere mischief, remotely accessing and controlling systems on an offshore cruising boat could be dangerous. And the same marine networks that make sharing data between instruments easy can also be leveraged to stalk a boat. Accessing navigation networks may provide a pathway to even worse outcomes. For example, manipulating position or depth data potentially imperils the safety of the boat and those on board.
Automotive technology trends tend to provide an indicator of where the marine market is headed. More than a decade ago, the automotive industry began including cellular connectivity in most new cars. That connectivity provides for remote control of systems and remote telemetry for manufacturers. It turns out that connectivity also provides a pathway into cars’ systems for those with ill intentions. So manufacturers have had to up their security game.
Among several major boatbuilders I spoke with, however, cybersecurity concerns were not yet on the radar. I suspect that will soon change as boats become ever more reliant on technology, and as that technology becomes even more connected.
Low earth orbit satellite connectivity, especially Starlink, has resulted in many more boats leaving the dock with an active internet connection. Connectivity can be a huge boon for safety, providing up-to-the-minute weather, easy shoreside tracking of boats, and emergency communications. But that connectivity also provides opportunities for hackers to access on-board systems and potentially disrupt operations. Remotely controlling a digital switching system for a boat underway may result in the loss of navigation electronics, running lights and other critical safety systems.
Our current networks also present another potential vector for attack. NMEA 2000 networks that carry most navigation and instrumentation data have no network-level access control. Installing a new device on the network means screwing that device to a T-connector and possibly adding a new T to the network. Once this physical connection is made, the NMEA 2000 network has no concept of authorized and unauthorized devices. So anything on the network is allowed to read all available data and talk to all the other devices on the network. Devices join the network silently with no notification that something new is connected.
Digital Yacht, a U.K.-based manufacturer of electronics equipment, introduced Net Protect as the first cybersecurity product focused on NMEA 2000. Net Protect tests and validates an NMEA 2000 network at installation, then monitors it 24/7. It alerts the boat owner to changes on the network, uncertified equipment, firmware changes and more.
Currently, that information is displayed in a web page if a boat owner connects to it. But as Digital Yacht CEO Nick Heyes explains, “NetProtect is coming as a Garmin OneHelm app, so it means every Garmin display can now have network protection as an option on-screen.”
The National Marine Electronics Association publishes networks standards, including NMEA 0183, NMEA 2000 and NMEA OneNet. OneNet is an Ethernet-based standard intended to underpin increasingly complex navigation and instrumentation networks. In defining OneNet, the NMEA prominently called out that the network is designed “to facilitate the safe and secure communication and operations among equipment.”
As Mark Oslund, NMEA’s director of standards, explains, “OneNet was created from the ground up with a focus on securing the network and ensuring safe and secure data network operations on board.”
When NMEA 2000 was conceived, navigation networks were not connected to other networks or to the internet. OneNet is newer, but as Oslund says, “Security is a moving target. We built encryption into the network, and now we work to improve OneNet as new security hardening is required. It’s going to take effort from our industry to build the knowledge base that ensures technicians are part of the security mitigation for now.”
In Europe, government regulation is providing much of the drive for more security in on-board networks. The EU’s NIS2 security directive outlines security requirements for numerous industries including transportation. One of the main requirements of NIS2 is that networks employ zero trust, a security paradigm in which all users and devices must be verified to gain access to anything on the network. OneNet may provide a layered approach, depending on the users’ security preferences.
Oslund says version 2 of OneNet is already in development, following the global trend toward zero trust security: “We are trying to weigh all the factors to secure networks and retain easy interoperability.”
This December, the University of North Carolina at Wilmington will host the second annual CyberBoat Challenge to raise awareness of cybersecurity challenges on the water. The event includes classes to familiarize students with systems, followed by assessments of the cybersecurity posture of those systems.
Most boaters are unaware of potential cybersecurity issues. However, there is an implicit expectation that builders will deliver modern boats suitable for use with current technology. So although cybersecurity may not be on their radar today, it is likely that will change in the near future.
